// Trust & Security Report

    Hi Bob, Inc. (formerly Mosaic.tech, Inc. — acquired by HiBob February 2025) logo

    Hi Bob, Inc. (formerly Mosaic.tech, Inc. — acquired by HiBob February 2025)

    Mosaic Finance: AI-powered FP&A (Financial Planning & Analysis) platform with 150+ pre-built metrics, 3-statement models, headcount planning, and scenario planning. Now integrated as the Finance module within HiBob's all-in-one HR + Payroll + Finance platform (Bob). Sub-products: Core HR (Bob), Talent, Payroll & Benefits, Planning, Finance (Mosaic), Bob AI Companion.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We undergo routine audits to receive updated SOC 2 Type II reports, available upon request and subject to a signed NDA.

    Verify on hibob.com
    ISO 27001:2022
    HELD

    HiBob is ISO 27001:2022, ISO 27018:2019, and SOC2 Type 2 certified.

    Verify on hibob.com
    ISO 27018:2019
    HELD

    ISO 27018:2019 certified. Resources available: ISO 27018:2019 Certificate.

    Verify on hibob.com
    GDPR (compliance posture)
    HELD

    DPA available (pre-signed via DocuSign). Hi Bob, Inc. complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework. Data stored primarily in AWS Ireland and AWS Frankfurt.

    Verify on hibob.com
    > Show 7 unconfirmed / not-held certifications
    SOC 1 Type II
    NOT CONFIRMED

    Mentioned once in AI Trust Center page alongside other standards ('SOC2 type 2, and SOC1 type 2') but not listed or documented on the main security page. Cannot confirm as a standalone audit report.

    source: hibob.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification on vendor domain.

    source: hibob.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    Mentioned once in AI Trust Center as one of several standards followed ('HiBob follows industry best practices, including...ISO42001') but no certificate details, audit date, scope, or accredited body are provided. Cannot confirm as a held certification; may be aspirational framing.

    source: hibob.com
    HIPAA
    NOT CONFIRMED

    Mentioned only in the AI Trust Center page alongside other compliance standards but absent from the main security page. Pre-acquisition, mosaic.tech was explicitly described as 'not HIPAA or FedRAMP certified' by third-party assessors (cfoshortlist.com). Cannot confirm held for the post-acquisition integrated platform without explicit HiBob documentation.

    source: hibob.com
    PCI DSS
    NOT CONFIRMED

    Security page states HiBob hosts data in 'AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant' — this is AWS's own certification, not HiBob's. HiBob itself makes no PCI DSS claim.

    source: hibob.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on vendor domain.

    source: hibob.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification on vendor domain.

    source: hibob.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS Ireland (primary), AWS Frankfurt/Germany (backup/DR). Privacy policy lists US, EU, UK, Australia, Canada, and Israel as possible processing locations for corporate/admin data.

    AI Trust Center explicitly states: 'Our customers' data is not stored outside of the HiBob environment and is not used to train the third-party publicly accessible generative AI models. Customer data sent to AI providers is not stored or logged — ever. Data is processed strictly for the purpose of generating a response. No data is used to train AI models.' Admins can selectively disable or enable AI features per the AI Settings page. This zero-retention / no-training policy applies to the Bob AI Companion and all AI-powered features within the platform, which includes the Mosaic Finance module.

    // Security controls

    Encryption in transit

    HTTPS/TLS 1.2 or higher for all UI and API communications

    hibob.com

    Encryption at rest

    AES-256 via AWS KMS. Two layers: RDS data encryption (KMS AES-256) and application-layer encryption for financial and salary data (KMS AES-256)

    hibob.com

    Data hosting

    AWS Ireland (primary), AWS Frankfurt/Germany (DR). No on-premise option.

    hibob.com

    Access controls

    Role-based access control (RBAC). Production network access restricted to need-to-know with MFA. Least-privilege enforced.

    hibob.com

    Authentication

    Native HiBob auth and/or Enterprise SSO (2FA recommended). MFA required for internal production access.

    hibob.com

    Penetration testing

    Annual third-party penetration tests on production and corporate networks. Summary available under NDA.

    hibob.com

    Bug bounty

    Partnership with Bugcrowd for responsible disclosure program

    hibob.com

    Data backup

    At least daily backups of all data. Fully restorable for disaster recovery. DR location: AWS Frankfurt.

    hibob.com

    SIEM and monitoring

    24/7 SIEM with IDS/IPS. Dedicated globally distributed security team on call 24/7.

    hibob.com

    Vulnerability management

    Continuous third-party dynamic scanning, static code analysis, OWASP Top 10 controls, annual secure code training for engineers.

    hibob.com

    Employee vetting

    Reference checks, NDAs, and confidentiality agreements for all new hires and contractors.

    hibob.com

    EU-US Data Privacy Framework

    Hi Bob, Inc. is certified under EU-US DPF, UK Extension to EU-US DPF, and Swiss-US DPF

    hibob.com

    // Products & data scope

    Mosaic Finance (FP&A)Financial Planning & Analysis

    data: Financial data including budgets, actuals, headcount costs, vendor spend, 3-statement financial models. Integrates with HR data (salaries, headcount) from HiBob Core.

    Formerly independent mosaic.tech; acquired by HiBob February 2025 for $35M. mosaic.tech domain now redirects to hibob.com/finance/. Targets mid-market finance teams (Series A-C SaaS companies). Pricing: Analytics $3K-6K/mo, Planning $6K-12K/mo, Growth $12K-25K/mo.

    Bob AI CompanionAI Assistant (HR + Finance)

    data: Reads HR and finance data within the HiBob environment. Zero-retention policy: no data sent to AI providers is stored or used for training.

    AI features are configurable per feature via admin AI Settings page. Admins can disable individual AI features. All AI features use pre-approved sub-processors.

    Core HR (Bob)HRIS

    data: Employee personal data, documents, time & attendance, workflows, onboarding/offboarding records.

    Primary HR system of record. 5,000+ company customers. #1 Mid-Market HRMS per G2 2026.

    Payroll (Bob Payroll)Payroll

    data: Salary and compensation data, tax data, benefits data for UK and US payroll. Financial data encrypted separately with KMS AES-256.

    Includes native UK payroll (acquired Pento 2024) and US payroll, plus integrations with global payroll providers.

    Talent (Bob Talent)Talent Management

    data: Recruitment data, performance reviews, survey responses, learning records.

    AI-powered surveys and calibration tools. Performance data feeds into Bob AI Companion insights.

    // What to watch

    • IDENTITY CONFLATION RISK: Slug 'mosaic' could be confused with at least three unrelated companies sharing the name: mosaicapp.com (resource/project management tool with its own Drata trust center), mosaicsmartdata.com (data analytics), and mosaic.pe. The vendor assessed here is specifically mosaic.tech (FP&A platform), now integrated into HiBob as hibob.com/finance/. Any cert attributed to mosaicapp.com or others must NOT be applied to this vendor.
    • POST-ACQUISITION INTEGRATION: HiBob acquired mosaic.tech in February 2025 for $35M. All mosaic.tech URLs (including /security, /privacy-policy) now redirect with HTTP 301 to hibob.com. Assessment therefore covers HiBob's security posture. It is unclear whether HiBob's certs have been formally rescoped to include the Mosaic Finance product specifically, or whether the Finance module runs within the same certified environment as the core Bob platform.
    • HIPAA POSSIBLE OVER-CLAIM: HIPAA is listed in the AI Trust Center page alongside other standards but is absent from the dedicated security page. Pre-acquisition, mosaic.tech was explicitly described as 'not HIPAA or FedRAMP certified' by third-party sources. Whether HiBob's HIPAA posture now covers the Finance module is unverified. Graded held=false until explicit documentation (BAA availability, audit scope) is provided.
    • ISO 42001 UNVERIFIED: ISO/IEC 42001 (AI Management System) is mentioned once in the AI Trust Center page in a list of 'industry best practices' but no certificate, accreditation body, audit date, or scope statement is provided anywhere on the vendor domain. Graded held=false; may be aspirational.
    • SOC 1 TYPE II UNVERIFIED: Mentioned only in AI Trust Center page alongside other standards. Not listed on the main security page. No report availability statement. Cannot confirm as a standalone audit.
    • HOST-CERT AMBIGUITY: HiBob security page states data is hosted in 'AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant.' PCI DSS and the infrastructure ISO/SOC certs cited are AWS's own certifications, not HiBob's. HiBob does not separately claim PCI DSS for its own services.
    • NDA GATING: SOC 2 Type II report and penetration test summary both require a signed NDA to access. This is industry-standard practice but means no public independent verification is possible for the SOC 2 scope or opinion.
    • AI GOVERNANCE MARKETING VS CERT: The AI Trust Center page uses certification-like language ('HiBob follows industry best practices, including ISO 27001, ISO27018, ISO42001, HIPAA, GDPR, SOC2 type 2, and SOC1 type 2') that implies all items are held certifications. In reality, only ISO 27001:2022, ISO 27018:2019, and SOC 2 Type II are explicitly confirmed on the security page. The remaining items may be frameworks followed rather than audited certifications.

    // At a glance

    Pricing model

    Subscription SaaS. Mosaic Finance tiers: Analytics ~$3K-6K/mo, Planning ~$6K-12K/mo, Growth ~$12K-25K/mo plus $5K-15K implementation. Multi-year discounts of 40-50% reported. Post-acquisition pricing trajectory expected to increase 15-25% for new customers.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Hi Bob, Inc. (formerly Mosaic.tech, Inc. — acquired by HiBob February 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    hibob.com

    > Browse all vendor trust reports